The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Network security systems use information about data traffic to identify malicious incidents in communications networks. Unfortunately, benign traffic is sometimes classified as malicious (a false positive), while malicious traffic is sometimes classified as benign (a false negative). Both kinds of misclassification lead to inaccurate reports: false positives produce false alarms, and false negatives leave real attacks unreported.
Inaccuracies in reports generated by network security systems are often caused by an inability to correctly identify attacks that rely on complex and sophisticated malware. For example, attacks launched by botnet herders operating command-and-control (C2) infrastructure are often highly decentralized, so it may be difficult to identify their origin or their characteristics from any single vantage point. Such attacks often remain undetected or are incorrectly classified.
Problems with detecting malicious attacks may be compounded by various shortcomings of the network security systems themselves. For example, some network security systems incorrectly prioritize the detected incidents, or fail to associate the correct context with them. Other network security systems incorrectly group incident data received from multiple networks or multiple systems, so that related incidents are treated as unrelated, or unrelated incidents are merged.